fix(relaunch): address self-review (mobile nav, discussion 404, write spam)

Review fixes before PR:
- H1: discussion/question/til/resource posts now resolve in the [username]/[slug]
  reader (getUserPost broadened from article-only); ComposeModal builds the
  canonical /{username}/{slug} URL (threaded username) instead of the legacy
  /articles redirect that 404s for new posts
- H2: add a bottom MobileNav (≤720px) so mobile users can reach Home/Discussions/
  Jobs/Notifications/Profile + Create; hide the sign-in bar on mobile
- H3: rate-limit content.create when published (10/5min per user) — the quick
  compose path can no longer be scripted to flood the feed
- H4: rate-limit + IP-throttle the public sponsor.submit (3/hr per IP)
- M1: escape LIKE metacharacters in search to prevent wildcard scans
- L1: sponsor email subject falls back to name when company is omitted

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: NiallJoeMaher

app/(app)/[username]/[slug]/page.tsx

@@ -20,7 +20,7 @@ import type { JSONContent } from "@tiptap/core";
 import NotFound from "@/components/NotFound/NotFound";
 import { db } from "@/server/db";
 import { posts, user, feed_sources, post_tags, tag } from "@/server/db/schema";
-import { eq, and, lte } from "drizzle-orm";
+import { eq, and, lte, inArray } from "drizzle-orm";
 import FeedArticleContent from "./_feedArticleContent";
 import LinkContentDetail from "./_linkContentDetail";
 import UserLinkDetail from "./_userLinkDetail";
@@ -73,7 +73,9 @@ async function getUserPost(username: string, postSlug: string) {
         eq(posts.slug, postSlug),
         eq(posts.authorId, userRecord.id),
         eq(posts.status, "published"),
-        eq(posts.type, "article"),
+        // Text-content kinds all render via the article reader (title + body +
+        // discussion). Links have their own resolver below.
+        inArray(posts.type, ["article", "discussion", "question", "til", "resource"]),
         lte(posts.publishedAt, new Date().toISOString()),
       ),
     )

components/Create/ComposeModal.tsx

@@ -28,9 +28,11 @@ function parseDomain(url: string): string | null {
  */
 export function ComposeModal({
   mode,
+  username,
   onClose,
 }: {
   mode: ComposeMode;
+  username: string | null;
   onClose: () => void;
 }) {
   const router = useRouter();
@@ -47,7 +49,10 @@ export function ComposeModal({
     api.content.create.useMutation({
       onSuccess: (post) => {
         void utils.content.getFeed.invalidate();
-        const href = post?.slug ? `/articles/${post.slug}` : "/feed";
+        // New posts live in the `posts` table; the canonical URL is
+        // /{username}/{slug}. Fall back to the feed if we lack the username.
+        const href =
+          post?.slug && username ? `/${username}/${post.slug}` : "/feed";
         setDone({ href });
       },
       onError: (err) => {

components/Create/ShellActionsProvider.tsx

@@ -31,9 +31,11 @@ export function useShellActions(): ShellActions {
  */
 export function ShellActionsProvider({
   authed,
+  username,
   children,
 }: {
   authed: boolean;
+  username: string | null;
   children: React.ReactNode;
 }) {
   const [compose, setCompose] = useState<ComposeMode | null>(null);
@@ -77,7 +79,11 @@ export function ShellActionsProvider({
         />
       )}
       {compose && (
-        <ComposeModal mode={compose} onClose={() => setCompose(null)} />
+        <ComposeModal
+          mode={compose}
+          username={username}
+          onClose={() => setCompose(null)}
+        />
       )}
       {topicsOpen && <TopicsModal onClose={() => setTopicsOpen(false)} />}
     </ShellActionsContext.Provider>

components/Layout/AppShell.tsx

@@ -6,6 +6,7 @@ import { TopBar } from "./TopBar";
 import { LeftRail } from "./LeftRail";
 import { RightRail } from "./RightRail";
 import { SignInBar } from "./SignInBar";
+import { MobileNav } from "./MobileNav";
 import { CommandPalette } from "@/components/CommandPalette/CommandPalette";
 import { ShellActionsProvider } from "@/components/Create/ShellActionsProvider";
 
@@ -54,7 +55,7 @@ export function AppShell({ children, session, username }: AppShellProps) {
   }, [paletteOpen]);
 
   return (
-    <ShellActionsProvider authed={!!session}>
+    <ShellActionsProvider authed={!!session} username={username}>
       <div
         className="min-h-svh bg-canvas text-fg"
         style={{ paddingBottom: session ? 0 : 56 }}
@@ -72,6 +73,7 @@ export function AppShell({ children, session, username }: AppShellProps) {
 
         {paletteOpen && <CommandPalette onClose={closePalette} />}
         {!session && <SignInBar />}
+        <MobileNav session={session} username={username} />
       </div>
     </ShellActionsProvider>
   );

components/Layout/MobileNav.tsx

@@ -0,0 +1,75 @@
+"use client";
+
+import Link from "next/link";
+import { usePathname } from "next/navigation";
+import { signIn } from "next-auth/react";
+import { type Session } from "next-auth";
+import { useShellActions } from "@/components/Create/ShellActionsProvider";
+
+/**
+ * Bottom nav for small screens (≤720px), where the top-bar nav is absent and
+ * the left rail is hidden. Keeps the primary destinations + Create reachable on
+ * mobile. Shown via the `.app-mobilenav` media query in globals.css.
+ */
+export function MobileNav({
+  session,
+  username,
+}: {
+  session: Session | null;
+  username: string | null;
+}) {
+  const pathname = usePathname();
+  const { openCompose } = useShellActions();
+
+  const items = session
+    ? [
+        { name: "Home", href: "/feed" },
+        { name: "Discuss", href: "/discussions" },
+        { name: "Jobs", href: "/jobs" },
+        { name: "Alerts", href: "/notifications" },
+        { name: "You", href: `/${username || "settings"}` },
+      ]
+    : [
+        { name: "Home", href: "/feed" },
+        { name: "Discuss", href: "/discussions" },
+        { name: "Jobs", href: "/jobs" },
+      ];
+
+  const isActive = (href: string) =>
+    href === "/feed"
+      ? pathname === "/feed" || pathname === "/"
+      : pathname?.startsWith(href);
+
+  return (
+    <nav className="app-mobilenav" aria-label="Primary">
+      {items.map((item) => (
+        <Link
+          key={item.name}
+          href={item.href}
+          aria-current={isActive(item.href) ? "page" : undefined}
+          className={`flex flex-1 items-center justify-center py-2 text-xs font-medium transition-colors ${
+            isActive(item.href) ? "text-fg" : "text-muted"
+          }`}
+        >
+          {item.name}
+        </Link>
+      ))}
+      {session ? (
+        <button
+          onClick={() => openCompose("discussion")}
+          aria-label="Create a post"
+          className="flex flex-1 items-center justify-center py-2 text-xs font-semibold text-accent"
+        >
+          + Create
+        </button>
+      ) : (
+        <button
+          onClick={() => signIn()}
+          className="flex flex-1 items-center justify-center py-2 text-xs font-semibold text-accent"
+        >
+          Join
+        </button>
+      )}
+    </nav>
+  );
+}

components/Layout/SignInBar.tsx

@@ -13,7 +13,7 @@ export function SignInBar() {
 
   return (
     <div
-      className="fixed inset-x-0 bottom-0 z-[45] border-t border-strong"
+      className="fixed inset-x-0 bottom-0 z-[45] border-t border-strong max-[720px]:hidden"
       style={{
         background: "color-mix(in srgb, rgb(var(--color-elevated)) 92%, transparent)",
         backdropFilter: "blur(12px)",

server/api/router/content.ts

@@ -48,6 +48,7 @@ import {
   screenContent,
   notifyAdminOfReview,
 } from "@/server/lib/moderation";
+import { rateLimit } from "@/server/lib/rateLimit";
 import crypto from "crypto";
 
 // Helper to generate slug from title
@@ -562,6 +563,18 @@ export const contentRouter = createTRPCRouter({
     .mutation(async ({ ctx, input }) => {
       const userId = ctx.session.user.id;
 
+      // Throttle publishing so the quick-compose path can't be scripted to
+      // flood the feed (drafts are unmetered). 10 published posts / 5 min.
+      if (input.published) {
+        const { success } = rateLimit(`create:${userId}`, 10, 5 * 60_000);
+        if (!success) {
+          throw new TRPCError({
+            code: "TOO_MANY_REQUESTS",
+            message: "You're posting too fast. Take a breather and try again.",
+          });
+        }
+      }
+
       // Validate based on content type
       if (input.type === "POST" && !input.body) {
         throw new TRPCError({

server/api/router/search.ts

@@ -40,7 +40,10 @@ export const searchRouter = createTRPCRouter({
         });
       }
 
-      const like = `%${query}%`;
+      // Escape LIKE metacharacters so a query of "%"/"_" can't broaden into an
+      // expensive full scan (Postgres treats backslash as the default escape).
+      const escaped = query.replace(/[\\%_]/g, "\\$&");
+      const like = `%${escaped}%`;
       const limit = input.limit;
 
       const [postRows, peopleRows, tagRows] = await Promise.all([

server/api/router/sponsor.ts

@@ -10,11 +10,23 @@ import { TRPCError } from "@trpc/server";
 import { createSponsorInquiryEmailTemplate } from "@/utils/createSponsorInquiryEmailTemplate";
 import { sponsor_inquiry } from "@/server/db/schema";
 import { db } from "@/server/db";
+import { rateLimit, clientIpFromHeaders } from "@/server/lib/rateLimit";
 
 export const sponsorRouter = createTRPCRouter({
   submit: publicProcedure
     .input(SponsorInquirySchema)
-    .mutation(async ({ input }) => {
+    .mutation(async ({ input, ctx }) => {
+      // Public, unauthenticated endpoint that writes a row + sends an email, so
+      // throttle by IP to stop scripted flooding. 3 inquiries / hour per IP.
+      const ip = clientIpFromHeaders(ctx.headers);
+      const { success } = rateLimit(`sponsor:${ip}`, 3, 60 * 60_000);
+      if (!success) {
+        throw new TRPCError({
+          code: "TOO_MANY_REQUESTS",
+          message: "Too many inquiries. Please email partnerships@codu.co.",
+        });
+      }
+
       try {
         const { name, email, company, phone, interests, budgetRange, goals } =
           input;
@@ -64,7 +76,7 @@ export const sponsorRouter = createTRPCRouter({
         await sendEmail({
           recipient: adminEmail,
           htmlMessage,
-          subject: `New Sponsor Inquiry from ${company}`,
+          subject: `New Sponsor Inquiry from ${company || name}`,
         });
 
         return {

styles/globals.css

@@ -224,6 +224,25 @@ body {
   }
 }
 
+/* Bottom nav for ≤720px (top-bar nav is gone, left rail hidden). */
+.app-mobilenav {
+  display: none;
+}
+@media (max-width: 720px) {
+  .app-mobilenav {
+    position: fixed;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    z-index: 40;
+    display: flex;
+    align-items: stretch;
+    border-top: 1px solid rgb(var(--color-hairline));
+    background: color-mix(in srgb, rgb(var(--color-canvas)) 92%, transparent);
+    backdrop-filter: blur(12px);
+  }
+}
+
 .dropdown-button {
   @apply inline-flex items-center justify-center border border-neutral-300 bg-white bg-gradient-to-r px-4 py-2 font-medium text-neutral-800 shadow-sm hover:bg-neutral-200 focus:outline-none focus:ring-2 focus:ring-offset-2 dark:border-neutral-600 dark:bg-neutral-900 dark:text-white dark:hover:bg-neutral-800;
 }